Hi,
I need more explanation to understand and accept this patch. You are very often just stating what you are doing but not why.
On Sun, 2018-04-29 at 11:16 +0200, Peter Müller wrote:
> Update some values in the OpenSSH server configuration at /etc/ssh/sshd_config to secure values. Changes are also applied on existing installations via update.sh script.
>
> This partly solves #11538 and performs these changes:
> - never accept empty passwords for authentication

That was default. No change needed really.

> - make sure OpenSSH always logs properly

What went wrong before?

> - make sure permissions of .ssh/authorized_keys are checked (StrictModes)

ACK.

> - limit maximum concurrent sessions to 5

???

> - make sure custom rhosts files are always ignored

That was default as well

> - limit maximum authentication tries to 3

This is also default.

> The logging options were not applied during build correctly, which is fixed now. Changes are not expected to break existing systems.

Expected?

There is no need to stop the ssh daemon when running the update. That will cause users who are running the update via SSH to lose their connection.
A restart at the very end is sufficient.
-Michael
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
 config/rootfiles/core/121/update.sh | 12 ++++++++++++
 lfs/openssh                         |  9 +++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/config/rootfiles/core/121/update.sh b/config/rootfiles/core/121/update.sh index 87d5f6ebd..d3ceb84aa 100644 --- a/config/rootfiles/core/121/update.sh +++ b/config/rootfiles/core/121/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done
# Stop services +/etc/init.d/sshd stop
# Extract files extract_files @@ -56,8 +57,19 @@ rm -rvf \ /usr/share/nagios/ \ /var/nagios/
+# Update SSH configuration +sed -i /etc/ssh/sshd_config \
- -e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
- -e 's/^#LogLevel INFO$/LogLevel INFO/' \
- -e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
- -e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
- -e 's/^#StrictModes .*$/StrictModes yes/' \
- -e 's/^#MaxSessions .*$/MaxSessions 5/' \
- -e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/'
# Start services /etc/init.d/apache restart +/etc/init.d/sshd start
# This update needs a reboot... touch /var/run/need_reboot diff --git a/lfs/openssh b/lfs/openssh index 203446370..90279ac98 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -91,10 +91,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) -e 's/^#?IgnoreUserKnownHosts .*$$/IgnoreUserKnownHosts yes/' \ -e 's/^#?UsePAM .*$$//' \ -e 's/^#?X11Forwarding .*$$/X11Forwarding no/' \
-e 's/^#\?SyslogFacility AUTH .*$$/SyslogFacility AUTH/' \
-e 's/^#\?LogLevel INFO .*$$/LogLevel INFO/' \
-e 's/^#SyslogFacility AUTH$/SyslogFacility AUTH/' \
-e 's/^#?AllowTcpForwarding .*$$/AllowTcpForwarding no/' \ -e 's/^#?PermitRootLogin .*$$/PermitRootLogin yes/' \-e 's/^#LogLevel INFO$/LogLevel INFO/' \
-e 's/^#PermitEmptyPasswords no$/PermitEmptyPasswords no/' \
-e 's/^#MaxAuthTries .*$/MaxAuthTries 3/' \
-e 's/^#StrictModes .*$/StrictModes yes/' \
-e 's/^#MaxSessions .*$/MaxSessions 5/' \
-e 's|^#?HostKey /etc/ssh/ssh_host_dsa_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_ecdsa_key$$||' \ -e 's|^#?HostKey /etc/ssh/ssh_host_ed25519_key$$||' \-e 's/^#IgnoreRhosts .*$/IgnoreRhosts yes/' \
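Review bot: In the update.sh sed block every pattern requires a leading `#`, and the SyslogFacility, LogLevel and PermitEmptyPasswords patterns match only the exact commented default, so an existing sshd_config that already carries an active directive (for example `PermitEmptyPasswords yes`, or a MaxAuthTries line that was uncommented earlier) is left unchanged. That does not match the stated goal of applying the values on existing installations. Match both the commented and the active form of each directive with any value, or append the directive when no line matches. Because sshd is stopped near the top of the script and only started again after this block, validate the rewritten file with `sshd -t` before the start so that a bad edit does not leave the system without SSH.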
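Review bot: The seven added expressions in the lfs/openssh hunk end their patterns with a single `$` (for example `'s/^#LogLevel INFO$/LogLevel INFO/'`), while the unchanged expressions in the same recipe escape it as `$$`. Inside a make recipe `$/` is expanded as a make variable reference before sed sees the command, so the end-of-line anchor and the delimiter are both lost and the expression is no longer a valid substitution; write `$$` as the neighbouring lines do. The added patterns also use `^#` where the neighbouring lines use `^#?`, and the SyslogFacility, LogLevel and PermitEmptyPasswords patterns match only the exact commented default, so please confirm that this narrower match is intended.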